Provider List pursuant to Art. 13, 28, 44 GDPR

Effective: November 2025
This overview provides information about the external service providers ("vendors", "data processors") we use pursuant to Art. 28 GDPR as well as recipients in third countries pursuant to Art. 44 et seq. GDPR.

---

1. Hosting / Infrastructure

Vercel Inc.

• Purpose: Hosting, provision of frontend, edge network, logs
• Location: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
• Privacy: https://vercel.com/legal/privacy-policy
• DPA / SCC: https://vercel.com/legal
• Note: Use of EU and US regions. Transfers to third countries based on Standard Contractual Clauses (SCCs).

---

2. Database / Storage

Supabase Inc.

• Purpose: Database and file storage (PostgreSQL, Auth, Storage)
• Location: Supabase Inc., 970 Toa Payoh North, #07-04, Singapore 318992
• Privacy: https://supabase.com/privacy
• DPA: https://supabase.com/legal/dpa
• Note: EU region preferred; SCCs active for third-country transfers.

---

3. Payment Processing

Stripe Payments Europe Ltd.

• Purpose: Payment processing, billing, fraud prevention
• Location: 1 Grand Canal Street Lower, Dublin 2, Ireland
• Privacy: https://stripe.com/privacy
• DPA / SCC / FAQ: https://stripe.com/legal/dpa, https://stripe.com/legal/dpa/faqs
• Note: Processed within the EU by Stripe Payments Europe; intra-group transfers to the USA are based on SCCs.

---

4. Email / Communication / CRM

Customer.io (Peaberry Software Inc.)

• Purpose: Sending transactional emails, newsletters, automations
• Location: Peaberry Software Inc., 9450 SW Gemini Drive #63259, Beaverton, OR 97008, USA
• Privacy: https://customer.io/legal/privacy-policy
• DPA: https://customer.io/legal/dpa
• Note: Data transfer to the USA based on Standard Contractual Clauses (SCCs).

---

5. Product and Web Analytics

PostHog Inc.

• Purpose: Product and web analytics (usage behavior, events, feature tracking)
• Location: PostHog Inc., 965 Mission St., San Francisco, CA 94103, USA
• Privacy: https://posthog.com/privacy
• DPA: https://posthog.com/terms/dpa
• Note: Activation only after consent (§ 25 TTDSG, Art. 6(1)(a) GDPR). Transfers to third countries secured via SCCs.

---

6. Prompt / Event Telemetry

Langfuse GmbH

• Purpose: Telemetry, performance measurement, quality analysis for AI prompts
• Location: Langfuse GmbH, Schützenstraße 8, 80335 Munich, Germany
• Privacy: https://langfuse.com/privacy
• DPA: https://langfuse.com/security/dpa
• Note: Processing on European servers; pseudonymous technical data.

---

7. Authentication / Login

Google LLC (Google OAuth)

• Purpose: Single sign-on, authentication
• Location: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
• Privacy: https://policies.google.com/privacy
• DPA: https://workspace.google.com/terms/dpa_terms.html
• Note: Authentication data (e.g., email) after your consent in the OAuth dialog; SCCs for USA transfers.

---

X Corp. / Twitter Inc. (OAuth / Login)

• Purpose: Authentication via X (Twitter) account
• Location: 1355 Market Street Suite 900, San Francisco, CA 94103, USA
• Privacy: https://twitter.com/en/privacy
• Note: We only receive the profile data displayed in the consent dialog (e.g., email); transfer based on SCCs.

---

8. Community / Support

Discord Inc.

• Purpose: Community, support, exchange
• Location: Discord Inc., 444 De Haro Street #200, San Francisco, CA 94107, USA
• Privacy: https://discord.com/privacy
• Note: Independent responsibility of Discord; data processing occurs there based on Discord's terms of service.

---

9. General Notes

• We enter into contracts with all data processors pursuant to Art. 28 GDPR (Data Processing Agreement).
• Third-country transfers (e.g., USA, Singapore) occur only on the basis of Standard Contractual Clauses (SCCs) or equivalent guarantees.
• For questions or objections regarding data processing by these providers, please contact us at contact@postel.app.

---

This provider list serves transparency pursuant to Art. 13, 28, 44 GDPR and is regularly reviewed.
Last updated: November 2025.